static PyObject *
verify_hmac(PyObject *self, PyObject *args)
{
fko_ctx_t ctx;
char *hmac_key;
int hmac_key_len;
int res;
if(!PyArg_ParseTuple(args, "ks#", &ctx, &hmac_key, &hmac_key_len))
return NULL;
res = fko_verify_hmac(ctx, hmac_key, hmac_key_len);
if(res != FKO_SUCCESS)
{
PyErr_SetString(FKOError, fko_errstr(res));
return NULL;
}
return Py_BuildValue("", NULL);
}
static void
test_loop(int new_ctx_flag, int destroy_ctx_flag)
{
fko_ctx_t ctx = NULL, decrypt_ctx = NULL;
int i, j;
char *spa_data = NULL, encode_buf[100], decode_buf[100];
printf("[+] test_loop(): %s, %s\n",
new_ctx_flag == NEW_CTX ? "NEW_CTX" : "NO_NEW_CTX",
destroy_ctx_flag == CTX_DESTROY ? "DESTROY_CTX" : "NO_DESTROY_CTX");
printf("fko_new(): %s\n", fko_errstr(fko_new(&ctx)));
fko_destroy(ctx);
ctx = NULL;
printf("fko_new(): %s\n", fko_errstr(fko_new(&ctx)));
spa_func_getset_int(&ctx, "fko_set_spa_client_timeout",
&fko_set_spa_client_timeout, "fko_get_spa_client_timeout",
&fko_get_spa_client_timeout, -F_INT, F_INT, 10,
new_ctx_flag, destroy_ctx_flag);
spa_func_getset_short(&ctx, "fko_set_spa_message_type",
&fko_set_spa_message_type, "fko_get_spa_message_type",
&fko_get_spa_message_type, FKO_COMMAND_MSG-F_INT,
FKO_LAST_MSG_TYPE+F_INT, FKO_ACCESS_MSG,
NO_DIGEST, new_ctx_flag, destroy_ctx_flag);
spa_func_int(&ctx, "fko_set_timestamp",
&fko_set_timestamp, -F_INT, F_INT, 10,
new_ctx_flag, destroy_ctx_flag);
for (i=0; i<FCN_CALLS; i++) {
printf("fko_set_spa_message(1.1.1.1,tcp/22): %s\n",
fko_errstr(fko_set_spa_message(ctx, "1.1.1.1,tcp/22")));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
for (i=0; i<FCN_CALLS; i++) {
printf("fko_set_spa_nat_access(1.2.3.4,1234): %s\n",
fko_errstr(fko_set_spa_nat_access(ctx, "1.2.3.4,1234")));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
for (i=0; i<FCN_CALLS; i++) {
printf("fko_set_username(someuser): %s\n",
fko_errstr(fko_set_username(ctx, "someuser")));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
spa_func_getset_short(&ctx, "fko_set_spa_encryption_type",
&fko_set_spa_encryption_type, "fko_get_spa_encryption_type",
&fko_get_spa_encryption_type, FKO_ENCRYPTION_INVALID_DATA-F_INT,
FKO_LAST_ENCRYPTION_TYPE+F_INT, FKO_ENCRYPTION_RIJNDAEL,
NO_DIGEST, new_ctx_flag, destroy_ctx_flag);
spa_func_getset_int(&ctx, "fko_set_spa_encryption_mode",
&fko_set_spa_encryption_mode, "fko_get_spa_encryption_mode",
&fko_get_spa_encryption_mode, FKO_ENC_MODE_UNKNOWN-F_INT,
FKO_LAST_ENC_MODE+F_INT, FKO_ENC_MODE_CBC,
new_ctx_flag, destroy_ctx_flag);
if (ENABLE_GPG_TESTS) {
for (i=0; i<FCN_CALLS; i++) {
printf("fko_set_spa_encryption_type(FKO_ENCRYPTION_GPG): %s\n",
fko_errstr(fko_set_spa_encryption_type(ctx, FKO_ENCRYPTION_GPG)));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
for (i=0; i<FCN_CALLS; i++) {
printf("fko_set_gpg_home_dir(/home/mbr/.gnupg): %s\n",
fko_errstr(fko_set_gpg_home_dir(ctx, "/home/mbr/.gnupg")));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
for (i=0; i<FCN_CALLS; i++) {
printf("fko_set_gpg_recipient(1234asdf): %s\n",
fko_errstr(fko_set_gpg_recipient(ctx, "1234asdf")));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
}
spa_func_getset_short(&ctx, "fko_set_spa_digest_type",
&fko_set_spa_digest_type, "fko_get_spa_digest_type",
&fko_get_spa_digest_type, FKO_DIGEST_INVALID_DATA-F_INT,
FKO_LAST_DIGEST_TYPE+F_INT, FKO_DEFAULT_DIGEST,
DO_DIGEST, new_ctx_flag, destroy_ctx_flag);
spa_func_getset_short(&ctx, "fko_set_raw_spa_digest_type",
&fko_set_spa_digest_type, "fko_get_raw_spa_digest_type",
&fko_get_spa_digest_type, FKO_DIGEST_INVALID_DATA-F_INT,
FKO_LAST_DIGEST_TYPE+F_INT, FKO_DEFAULT_DIGEST,
RAW_DIGEST, new_ctx_flag, destroy_ctx_flag);
spa_func_getset_short(&ctx, "fko_set_spa_hmac_type",
&fko_set_spa_hmac_type, "fko_get_spa_hmac_type",
&fko_get_spa_hmac_type, FKO_HMAC_INVALID_DATA-F_INT,
FKO_LAST_HMAC_MODE+F_INT, FKO_HMAC_SHA256,
NO_DIGEST, new_ctx_flag, destroy_ctx_flag);
printf("Trying encrypt / authenticate step with bogus key lengths...\n");
for (i=-100; i < 200; i += 10) {
for (j=-100; j < 200; j += 10) {
fko_spa_data_final(ctx, ENC_KEY, i, HMAC_KEY, j);
fko_spa_data_final(ctx, NULL, i, HMAC_KEY, j);
fko_spa_data_final(ctx, ENC_KEY, i, NULL, j);
fko_spa_data_final(ctx, NULL, i, NULL, j);
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, NO_PRINT);
spa_calls += 4;
}
}
for (i=0; i<FCN_CALLS; i++) {
printf("fko_spa_data_final(ENC_KEY, 16, HMAC_KEY, 16): %s\n",
fko_errstr(fko_spa_data_final(ctx, ENC_KEY, 16, HMAC_KEY, 16)));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
for (i=0; i<FCN_CALLS; i++) {
printf("fko_get_spa_data(): %s\n",
fko_errstr(fko_get_spa_data(ctx, &spa_data)));
printf(" SPA DATA: %s\n", spa_data == NULL ? "<NULL>" : spa_data);
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
printf("fko_new_with_data(): %s (data: %s)\n",
fko_errstr(fko_new_with_data(&decrypt_ctx, spa_data, NULL,
0, FKO_ENC_MODE_CBC, NULL, 0, FKO_HMAC_SHA256)), spa_data);
/* verify hmac, decrypt, and display ctx all together*/
for (i=0; i<FCN_CALLS; i++) {
display_ctx(decrypt_ctx);
printf("fko_verify_hmac() (1): %s\n",
fko_errstr(fko_verify_hmac(decrypt_ctx, HMAC_KEY, 16)));
printf("fko_decrypt_spa_data() (1): %s\n",
fko_errstr(fko_decrypt_spa_data(decrypt_ctx, ENC_KEY, 16)));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
/* now, separately verify hmac, decrypt, and display ctx */
for (i=0; i<FCN_CALLS; i++) {
printf("fko_verify_hmac() (2): %s\n",
fko_errstr(fko_verify_hmac(decrypt_ctx, HMAC_KEY, 16)));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
/* now decrypt */
for (i=0; i<FCN_CALLS; i++) {
printf("fko_decrypt_spa_data() (2): %s\n",
fko_errstr(fko_decrypt_spa_data(decrypt_ctx, ENC_KEY, 16)));
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
for (i=0; i<FCN_CALLS; i++) {
display_ctx(decrypt_ctx);
ctx_update(&ctx, new_ctx_flag, destroy_ctx_flag, DO_PRINT);
}
/* NULL tests */
fko_set_rand_value(ctx, NULL);
fko_set_rand_value(ctx, NULL);
fko_set_username(ctx, NULL);
fko_set_username(ctx, NULL);
fko_set_spa_message(ctx, NULL);
fko_set_spa_message(ctx, NULL);
fko_set_spa_nat_access(ctx, NULL);
fko_set_spa_nat_access(ctx, NULL);
fko_set_spa_server_auth(ctx, NULL);
fko_set_spa_server_auth(ctx, NULL);
fko_set_spa_data(ctx, NULL);
fko_set_spa_data(ctx, NULL);
spa_calls += 12;
for (i=0; i<FCN_CALLS; i++) {
fko_destroy(ctx);
ctx = NULL;
}
for (i=0; i<FCN_CALLS; i++) {
fko_destroy(decrypt_ctx);
decrypt_ctx = NULL;
}
/* exercise the base64 encode/decode wrapper
*/
fko_base64_encode((unsigned char *)ENC_KEY, encode_buf, 16);
fko_base64_decode(encode_buf, (unsigned char *)decode_buf);
/* call fko_errstr() across valid and invalid values
*/
for (i=-5; i < FKO_LAST_ERROR+5; i++) {
printf("libfko error (%d): %s\n", i, fko_errstr(i));
spa_calls++;
}
return;
}
/* Initialize an fko context with external (encrypted/encoded) data.
* This is used to create a context with the purpose of decoding
* and parsing the provided data into the context data.
*/
int
fko_new_with_data(fko_ctx_t *r_ctx, const char * const enc_msg,
const char * const dec_key, const int dec_key_len,
int encryption_mode, const char * const hmac_key,
const int hmac_key_len, const int hmac_type)
{
fko_ctx_t ctx = NULL;
int res = FKO_SUCCESS; /* Are we optimistic or what? */
int enc_msg_len;
#if HAVE_LIBFIU
fiu_return_on("fko_new_with_data_msg",
FKO_ERROR_INVALID_DATA_FUNCS_NEW_ENCMSG_MISSING);
#endif
if(enc_msg == NULL)
return(FKO_ERROR_INVALID_DATA_FUNCS_NEW_ENCMSG_MISSING);
#if HAVE_LIBFIU
fiu_return_on("fko_new_with_data_keylen",
FKO_ERROR_INVALID_KEY_LEN);
#endif
if(dec_key_len < 0 || hmac_key_len < 0)
return(FKO_ERROR_INVALID_KEY_LEN);
ctx = calloc(1, sizeof *ctx);
if(ctx == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
enc_msg_len = strnlen(enc_msg, MAX_SPA_ENCODED_MSG_SIZE);
if(! is_valid_encoded_msg_len(enc_msg_len))
{
free(ctx);
return(FKO_ERROR_INVALID_DATA_FUNCS_NEW_MSGLEN_VALIDFAIL);
}
/* First, add the data to the context.
*/
ctx->encrypted_msg = strdup(enc_msg);
ctx->encrypted_msg_len = enc_msg_len;
if(ctx->encrypted_msg == NULL)
{
free(ctx);
return(FKO_ERROR_MEMORY_ALLOCATION);
}
/* Default Encryption Mode (Rijndael in CBC mode)
*/
ctx->initval = FKO_CTX_INITIALIZED;
res = fko_set_spa_encryption_mode(ctx, encryption_mode);
if(res != FKO_SUCCESS)
{
fko_destroy(ctx);
ctx = NULL;
return res;
}
/* HMAC digest type
*/
res = fko_set_spa_hmac_type(ctx, hmac_type);
if(res != FKO_SUCCESS)
{
fko_destroy(ctx);
ctx = NULL;
return res;
}
/* Check HMAC if the access stanza had an HMAC key
*/
if(hmac_key_len > 0 && hmac_key != NULL)
res = fko_verify_hmac(ctx, hmac_key, hmac_key_len);
if(res != FKO_SUCCESS)
{
fko_destroy(ctx);
ctx = NULL;
return res;
}
/* Consider it initialized here.
*/
FKO_SET_CTX_INITIALIZED(ctx);
/* If a decryption key is provided, go ahead and decrypt and decode.
*/
if(dec_key != NULL)
{
res = fko_decrypt_spa_data(ctx, dec_key, dec_key_len);
if(res != FKO_SUCCESS)
{
fko_destroy(ctx);
ctx = NULL;
*r_ctx = NULL; /* Make sure the caller ctx is null just in case */
return(res);
}
}
#if HAVE_LIBGPGME
/* Set gpg signature verify on.
*/
ctx->verify_gpg_sigs = 1;
#endif /* HAVE_LIBGPGME */
*r_ctx = ctx;
return(res);
}
